
Realizing Hash and Sign Signatures under Standard Assumptions Susan Hohenberger Johns Hopkins.


1 Realizing Hash and Sign Signatures under Standard Assumptions. Susan Hohenberger (Johns Hopkins), Brent Waters (UT Austin)

2 Digital Signatures When, in the course of… 1976 Diffie-Hellman: dream of digital signatures

3 Digital Signatures When, in the course of… 1976 Diffie-Hellman: dream of digital signatures 1978 Rivest-Shamir-Adleman: first implementation 1adh84naf89hq32nvsd8p uwqhevhphvdfp9ufew7u2 rasdfohaqsedhfdasjf;

4 Signatures Today Two classes: “Hash-and-Sign” Signatures -- [RSA78, E84, S91, O92, BR93, PS96, GHR99, CS00, CL01, BLS04, BB04, CL04, W05, GJKW07, GPV08,...] -- what practitioners expect -- short signatures and short public keys. Tree-Based Signatures -- [GMR85, G86, M89, DN89, BM90, NY94, R90, CD95, CD96,...]

5 Focus on “Hash-and-Sign” Again, most things fall into two classes: Strong Assumptions -- Strong RSA [GHR99, CS00] -- q-Strong Diffie-Hellman [BB04] -- LRSW [CL04]. Random Oracle Model -- RSA [RSA78] -- Discrete logarithm [E84,S91] -- Lattices [GPV08]. Our goal: Hash-and-sign from standard assumptions in the standard model.

6 Strong Assumptions RSA: Given $(N, y, e)$, find the $x$ s.t. $y = x^e \bmod N$. Strong RSA: Given $(N, y)$, find any $(x, e)$ s.t. $e > 1$ and $y = x^e \bmod N$.

7 Strong Assumptions Computational Diffie-Hellman: Given $(g, g^a, g^b)$, find $g^{ab}$. q-Strong Diffie-Hellman: Given $(g, g^a, g^{a^2}, \ldots, g^{a^q})$, find any $(c, g^{1/(a+c)})$ s.t. $c > 0$. RSA: Given $(N, y, e)$, find the $x$ s.t. $y = x^e \bmod N$. Strong RSA: Given $(N, y)$, find any $(x, e)$ s.t. $e > 1$ and $y = x^e \bmod N$.

8 One Anomaly Waters Signatures [W05] + Short (signature = 2 group elements) + Stateless + Standard Model + Secure under CDH assumption - Public Key requires O(k) group elements, where k is a sec. parameter

9 Prior and New Contributions W’05 HW’09 PK Size Sig Size O(k) 2 Short signatures from standard assumptions. Stateless? CDH Assump. CDH RSA HW’09 O(1) 8 3 4 no yes Let k be the security parameter. Size in group elements (roughly).

10 Design from RSA RSA: Given $(N, y, e)$, find the $x$ s.t. $x^e = y \bmod N$. Different exponent per signature [GHR,CS]. For ith signature: $e_i$ = random, $e_i = F(m_i)$. Problem: In proof, how can we force adversary to forge with exponent e? Space of $e_i$'s is exponential ⇒ Strong RSA. If it was polynomial, we’d be all set.

11 Design from RSA RSA: Given $(N, y, e)$, find the $x$ s.t. $x^e = y \bmod N$. Problem: In proof, how can we force adversary to forge with exponent e? Sign(SK, i, m). Different exponent per signature [GHR,CS]. For ith signature: $e_i$ = random, $e_i = F(m_i)$, $e_i = F(i)$. What if adversary forges on state $i = 2^{163}$?

12 New Strategy Problem: must bound i in adversary’s forgery. Let x = #signatures issued. Type I: using state i* > 2lg(x). Type II: using state i* <= 2lg(x). New Idea: sign (m, i) and $\lceil \lg(i) \rceil$. Adversary must forge sig on $\lceil \lg(i^*) \rceil$. i* must come from polynomial range 1 to 2lg(x)! For security parameter $2^K$, only K distinct $\lceil \lg(i) \rceil$. …But signer might need to sign with i* (solve with ChamHash).

13 Chameleon Hash Formalized by Krawczyk and Rabin in 2000. H(m, r): 1. Collision-resistant, i.e., hard to find (m,r) != (m’,r’) s.t. H(m,r) = H(m’,r’). 2. With trapdoor, given any y and m, can find r s.t. H(m,r) = y. Exist DL, RSA realizations.
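The two properties on this slide, shown with a discrete-log chameleon hash of the form H(m, r) = g^m h^r mod p. This is an added example, not code from the talk or the paper. The group (p = 2039, q = 1019, g = 4) is a constructed toy size, and `keygen`, `digest`, `cham_hash` and `collide` are hypothetical names. `collide` finds r' for a target value y that was itself produced as H(msg, r).

```python
import hashlib

# Constructed toy group: p = 2q + 1 with p, q prime; g = 4 generates the
# subgroup of order q. Real deployments need cryptographic sizes.
p, q, g = 2039, 1019, 4

def keygen(t: int) -> int:
    """Trapdoor t in [1, q-1] stays secret; the public hash key is h = g^t."""
    if not 1 <= t < q:
        raise ValueError("trapdoor out of range")
    return pow(g, t, p)

def digest(msg: bytes) -> int:
    """Map an arbitrary message into Z_q."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def cham_hash(h: int, msg: bytes, r: int) -> int:
    """H(m, r) = g^m * h^r mod p. Without t, a collision yields log_g(h)."""
    return pow(g, digest(msg), p) * pow(h, r, p) % p

def collide(t: int, msg: bytes, r: int, new_msg: bytes) -> int:
    """With trapdoor t, return r' such that H(new_msg, r') == H(msg, r).

    The exponents must match: m + t*r = m' + t*r' (mod q),
    so r' = r + (m - m') / t (mod q).
    """
    return (r + (digest(msg) - digest(new_msg)) * pow(t, -1, q)) % q

if __name__ == "__main__":
    t = 777                      # constructed trapdoor
    h = keygen(t)
    y = cham_hash(h, b"pay 10", 456)
    r2 = collide(t, b"pay 10", 456, b"pay 99")
    print(y, cham_hash(h, b"pay 99", r2))   # same value twice
```

Anyone holding t can open a hash value to any message, so in a signature scheme the chameleon trapdoor has to be protected like the signing key (or discarded after key generation if the signer never needs it).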

14 Construction PK = (N, u, h, v, F, ChamHash), where F maps to primes. Sign(SK, i, m): e = F(i). Choose r, x = ChamHash(m,r). $s_1 = (u^x h)^{1/e} \bmod N$, $s_2$ = lg(i)th square root of v mod N. Sig = $(s_1, s_2, r, i)$. Can “squish” $s_1, s_2$. Proof idea: Type I: forgery i is “big” ⇒ square roots ⇒ factor N. Type II: forgery i is “small” ⇒ simulator can guess i ⇒ F(i) = e from RSA challenge.
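A toy run of the stateful RSA construction on this slide, as an added example (not the authors' code). Assumptions: the moduli are constructed toy sizes; `F` is a hypothetical hash-then-next-prime map; v is generated as W^(2^K) so the signer can produce iterated square roots without extra machinery; the root count is ceil(lg i) as on the "New Strategy" slide; and the verification equations are inferred from the signing equations.

```python
import hashlib

# Constructed toy parameters; P and Q are safe primes and stay secret.
P, Q = 1019, 1187
N, PHI = P * Q, (P - 1) * (Q - 1)
K = 16                                  # supports states i up to 2**K
W = 5                                   # secret: v = W^(2^K) mod N
U, H, V = 2, 3, pow(W, 2 ** K, N)       # public u, h, v
CP, CQ, CG = 2039, 1019, 4              # toy DL chameleon hash group
CH = pow(CG, 777, CP)                   # chameleon hash public key

def cham_hash(msg: bytes, r: int) -> int:
    m = int.from_bytes(hashlib.sha256(msg).digest(), "big") % CQ
    return pow(CG, m, CP) * pow(CH, r, CP) % CP

def is_prime(n: int) -> bool:
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def F(i: int) -> int:
    """Hypothetical F: hash the state to an odd 16-bit start, walk to a prime.
    Outputs exceed (P-1)/2 and (Q-1)/2, so they are invertible mod PHI."""
    seed = hashlib.sha256(b"F" + str(i).encode()).digest()[:2]
    e = int.from_bytes(seed, "big") | 0x8001
    while not is_prime(e):
        e += 2
    return e

def ceil_lg(i: int) -> int:
    return (i - 1).bit_length()

def sign(state: int, msg: bytes, r: int):
    """Return (s1, s2, r, i); the caller must persist i and never reuse it."""
    i = state + 1
    if i > 2 ** K:
        raise ValueError("state exhausted")
    x = cham_hash(msg, r)
    s1 = pow(pow(U, x, N) * H % N, pow(F(i), -1, PHI), N)   # (u^x h)^(1/e)
    s2 = pow(W, 2 ** (K - ceil_lg(i)), N)   # ceil(lg i)-fold square root of v
    return s1, s2, r, i

def verify(msg: bytes, sig) -> bool:
    s1, s2, r, i = sig
    if not 1 <= i <= 2 ** K:
        return False
    x = cham_hash(msg, r)
    return (pow(s1, F(i), N) == pow(U, x, N) * H % N
            and pow(s2, 2 ** ceil_lg(i), N) == V)
```

In real use r is sampled fresh at random for every signature; it is a parameter here only so the run is reproducible.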

15 Computational DH -- Overview Sigs ~ Boneh-Boyen IBE keys. Sign State; C.H. on master key. No need to find primes! VK = $g, g^a, h, u, v, w \in G$ (bilinear) + ChamHash. Sign(SK, M, i) = $(u^x h)^a (u^i v^{\lg(i)} w)^t,\; g^t$, where x = ChamHash(M,r), $t \in Z_p$.

16 Handling State Timer: State = Machine Time --- Careful! Do not roll back. Always one tick. Multiple Machines: Coordinate?? Machine k signs: i · n + k. Better not to have state.

17 Our Contributions Short signatures with short keys with state in the standard model from: -- RSA -- Computational DH State = a counter of # of sigs issued.

18 Thank you

19 Background Chameleon hashes exist under RSA, factoring and discrete log. A signature scheme is secure if for all ppt A, the following is negligible: Full Definition [GMR88]: $\Pr[(PK,SK) \leftarrow KeyGen(1^k),\ (m,s) \leftarrow A^{O_{sk}}(PK) : Verify(PK,m,s)=1$ and m not queried to signing oracle $O_{sk}]$. Weak Definition [...,BB04]: $\Pr[(m_1,\ldots,m_q) \leftarrow A(1^k),\ (PK,SK) \leftarrow KeyGen(1^k),\ s_i = Sign(SK, m_i),\ (m,s) \leftarrow A(PK, s_1,\ldots,s_q) : Verify(PK,m,s)=1$ and m not equal to $m_1,\ldots,m_q]$. Theorem [...,ST01]: Weak Sig Scheme + Chameleon Hash = Full Sig Scheme.

20 Digital Signatures Algorithms: KeyGen($1^k$) --> (PK, SK). Sign(SK, m) --> s. Verify(PK, m, s) --> 1/0. Dear UT, Happy April! --John Definition [GMR88]: A signature scheme is secure if for all ppt A, the following is negligible: $\Pr[(PK,SK) \leftarrow KeyGen(1^k),\ (m,s) \leftarrow A^{O_{sk}}(PK) : Verify(PK,m,s)=1$ and m not queried to signing oracle $O_{sk}]$.

21 Digital Signatures Algorithms: KeyGen($1^k$) --> (PK, SK). Sign(SK, m) --> s. Verify(PK, m, s) --> 1/0. When, in the course of… 1976 Diffie-Hellman: dream of digital signatures

22 Digital Signatures Algorithms: KeyGen($1^k$) --> (PK, SK). Sign(SK, m) --> s. Verify(PK, m, s) --> 1/0. When, in the course of… 1976 Diffie-Hellman: dream of digital signatures 1978 Rivest-Shamir-Adleman: first implementation 1adh84naf89hq32nvsd8p uwqhevhphvdfp9ufew7u2 rasdfohaqsedhfdasjf;

23 Two Types of Forgeries RSA: Given $(N, y, e)$, find the $x$ s.t. $x^e = y \bmod N$. Problem: must bound i in adversary’s forgery. Signer will use different exponent for each sig. For ith signature, $e_i$ is derived from the signer’s state i.

24 Design from RSA RSA: Given $(N, y, e)$, find the $x$ s.t. $x^e = y \bmod N$. Problem: In proof, how can we force adversary to forge with exponent e? Signer will use different exponent for each sig. For ith signature, perhaps $e_i$ is chosen at random, or $e_i$ is derived from the message $m_i$, $e_i$ is derived from the signer’s state i. Sign(SK, i, m)

25 Construction #1 PK = (N, u, h, v, F, ChamHash), where F maps to primes. Sign(SK, i, m): 1. Increment i := i+1. 2. Compute e = F(i). 3. Choose random r, compute x = ChamHash(m,r). 4. Compute $s_1 = (u^x h)^{1/e} \bmod N$, $s_2$ = lg(i)th square root of v mod N. 5. Output signature $(s_1, s_2, r, i)$. More Type II details (where forgery i* is small): On input, RSA challenge (N, y, e). Guess i*. Design F such that F(i*) = e. Use ChamHash to issue one signature on i*. The adversary’s forgery on (m,i*) will either: -- give a collision for ChamHash, or -- give the RSA solution $y^{1/e} \bmod N$.

26 Two Types of Forgeries RSA: Given $(N, y, e)$, find the $x$ s.t. $x^e = y \bmod N$. Problem: must bound i in adversary’s forgery. Signer will use different exponent for each sig. For ith signature, $e_i$ is derived from the signer’s state i. Let x be the number of signatures issued by the signer. There are two types of forgeries: Type I: using state i greater than 2lg(x). Type II: using state i <= 2lg(x). Idea: sign [ m, i ] and [ ceiling(lg(i)) ].

27 Construction #1 PK = (N, u, h, v, F, ChamHash), where F maps to primes. Sign(SK, i, m): 1. Increment i := i+1. 2. Compute e = F(i). 3. Choose random r, compute x = ChamHash(m,r). 4. Compute $s_1 = (u^x h)^{1/e} \bmod N$, $s_2$ = lg(i)th square root of v mod N. 5. Output signature $(s_1, s_2, r, i)$. Verify(PK, m, s): straightforward.

28 New Strategy Problem: must bound i in adversary’s forgery. Let x = # signatures. Type I: using state i* > 2lg(x). Type II: using state i* <= 2lg(x). New Idea: sign ( m, i ) and $\lceil \lg(i) \rceil$.

29 New Strategy Problem: must bound i in adversary’s forgery. Let x be the number of signatures issued by the signer. There are two types of forgeries: Type I: using state i greater than 2lg(x). Type II: using state i <= 2lg(x). New Idea: sign [ m, i ] and [ ceiling(lg(i)) ].

